Home Assistant Community Add-on: WireGuard

Hmmmm I am being super dumb I think. I’ve had Wireguard working perfectly with my own (Cloudflare) domain for well over a year, using the Cloudflared integration. It’s worked a treat. I previously used duckdns.

Yesterday I upgraded my HA from Pi 4 to Pi 5 by creating a backup, creating a new HA SSD using Pi imager and applying the backup. When the new system came up I put it on the old IP address on my LAN and gave the old system a different address so I could look at them side by side. I’ve not changed the routing in my router, which is still correct.

So much has happened since then but everything seems OK except Wireguard. From my Android it fails to handshake.

Wireguard and Cloudflared both look OK in the logs. I’ve not done any fancy configuration. Putting my domain name into a browser in a device not on my network takes me to my HA.

I’ve de- and re-installed both Wireguard and Cloudflared, rebooting probably more than necessary, and created a new connection on my Android each time, ensuring I am using the current QR code file, and made sure that the config matches my old config. The only difference I made to the Wireguard config was to change it to point at my domain instead of Duckdns. Also the server address changed to 172.xx.xx.xx from 10.10.10.3, but I have tried changing that back with no change. I also changed the server to DuckDNS but that didn’t help.

So I still have the old HA online and if I change the port forward to that it still works on the old connection. So somewhere between Cloudflared and Wireguard something is not working but I have run out of ideas. The only stuff which looks useful in the log is below.

I’d be grateful for any ideas.

Log snippet:

01-08 19:34:40.908 8649 8690 D WireGuard/GoBackend/fd: peer(b2SZ…R0xA) - Sending handshake initiation
01-08 19:34:46.138 8649 8690 D WireGuard/GoBackend/fd: peer(b2SZ…R0xA) - Handshake did not complete after 5 seconds, retrying (try 2)
01-08 19:34:46.138 8649 8690 D WireGuard/GoBackend/fd: peer(b2SZ…R0xA) - Sending handshake initiation
01-08 19:34:51.239 8649 9310 D WireGuard/GoBackend/fd: peer(b2SZ…R0xA) - Handshake did not complete after 5 seconds, retrying (try 2)

Hello,
I have a problem seeing my ESP32 on the local network when using wireguard and remote connection over my iPhone hotspot.

The following log shows how the handshake is successful, first, on the local network and then, second, when I change the network to the iPhone hotspot as well. However, since it has connected to the iPhone hotspot, it shows “disconnected” in the ESP HOME dashboard, along with all sensors being unavailable, of course.

If I connect my iPhone to the VPN made by the wireguard addon, I have no traffic constraints. Therefore, I am not suspicious about traffic forwarding. Also, if I use SSH in home assistant addon to check forwarding, it shows everything is forwarded from the docker higher to my VM running HA.

Any idea what could be wrong?

[11:41:46] INFO: Requesting current status from WireGuard...
interface: wg0
  public key: JFwkTW.....
  private key: (hidden)
  listening port: 51820
peer: KRmA........
  endpoint: 62.178.21.xxx:59927
  allowed ips: 192.168.3.2/32
  latest handshake: 23 seconds ago
  transfer: 2.38 KiB received, 41.29 KiB sent
  persistent keepalive: every 25 seconds
peer: 3P5Jr1.........
  allowed ips: 192.168.3.3/32
  persistent keepalive: every 25 seconds
[11:42:17] INFO: Requesting current status from WireGuard...
interface: wg0
  public key: JFwkT.....
  private key: (hidden)
  listening port: 51820
peer: KRm.....
  endpoint: 37.48.24.xxx:18605
  allowed ips: 192.168.3.2/32
  latest handshake: 16 seconds ago
  transfer: 2.55 KiB received, 41.41 KiB sent
  persistent keepalive: every 25 seconds
peer: 3P5......
  allowed ips: 192.168.3.3/32
  persistent keepalive: every 25 seconds
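The status output above is what actually answers "is the tunnel up": a peer with a recent "latest handshake" has completed the two-way handshake with the server, while a peer with no handshake line at all has never reached it, whatever a client UI may display. As an added example (not part of this thread, and not code from the add-on), the Python below parses that status format and classifies every peer. The sample text is constructed from the shape of the output above with shortened placeholder keys and masked addresses, and the 180-second threshold is WireGuard's Reject-After-Time, after which a session is dead.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample in the shape of the add-on's "Requesting current status"
# output (keys and addresses are shortened placeholders, not real values).
SAMPLE_STATUS = """\
interface: wg0
  public key: JFwkTW.....
  private key: (hidden)
  listening port: 51820
peer: KRmA........
  endpoint: 62.178.21.xxx:59927
  allowed ips: 192.168.3.2/32
  latest handshake: 23 seconds ago
  transfer: 2.38 KiB received, 41.29 KiB sent
  persistent keepalive: every 25 seconds
peer: 3P5Jr1.........
  allowed ips: 192.168.3.3/32
  persistent keepalive: every 25 seconds
"""

# WireGuard's Reject-After-Time: a session whose last handshake is older
# than this is no longer usable, so the peer is not really connected.
REJECT_AFTER_TIME = 180

_UNIT_SECONDS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400}


@dataclass
class Peer:
    public_key: str
    endpoint: Optional[str] = None
    allowed_ips: list = field(default_factory=list)
    handshake_age: Optional[int] = None  # seconds ago; None = never completed


def parse_handshake_age(text: str) -> int:
    """Turn 'latest handshake' wording ('1 minute, 5 seconds ago') into seconds.
    'Now' has no number and yields 0."""
    total = 0
    for amount, unit in re.findall(r"(\d+)\s+(second|minute|hour|day)s?", text):
        total += int(amount) * _UNIT_SECONDS[unit]
    return total


def parse_wg_show(text: str) -> list:
    """Parse the peer blocks of `wg show` output; the interface block is skipped."""
    peers = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # Split on the first colon only: endpoints contain a second one.
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "peer":
            current = Peer(public_key=value)
            peers.append(current)
        elif key == "interface":
            current = None  # interface attributes are not peer attributes
        elif current is not None:
            if key == "endpoint":
                current.endpoint = value
            elif key == "allowed ips":
                current.allowed_ips = [ip.strip() for ip in value.split(",")]
            elif key == "latest handshake":
                current.handshake_age = parse_handshake_age(value)
    return peers


def classify(peer: Peer, stale_after: int = REJECT_AFTER_TIME) -> str:
    """'active', 'stale' or 'never'; only 'active' means traffic can flow."""
    if peer.handshake_age is None:
        return "never"
    return "active" if peer.handshake_age <= stale_after else "stale"


def report(text: str) -> dict:
    """Map each peer's public key (as printed) to its handshake state."""
    return {p.public_key: classify(p) for p in parse_wg_show(text)}


if __name__ == "__main__":
    for key, state in report(SAMPLE_STATUS).items():
        print(f"{key:20s} {state}")
```

Run against the add-on's status log, the second peer (the one with no endpoint and no handshake line) comes out as "never": the server has not seen a single valid packet from it, so the problem sits before the tunnel, not inside it.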

I think that there is something really wrong here. My client on the iPhone shows “connected” even though the WireGuard server, the addon, is not running. And I am not alone https://www.reddit.com/r/WireGuard/comments/1fj5enr/wireguard_client_showing_connected_when_its/

Ah, ok, so that’s because the protocol is UDP, but why does somebody use the term “handshake” when UDP does not support two-way communication but just broadcasts encrypted packets?

Hi seb5594 Sebastian.

Thank you for the interesting code, I managed to create everything except the card.
I don’t know where to get binary_sensor:

binary_sensor.wireguard_*

I didn’t find anything like that on mine.

I am suspicious that my ISP Magenta in Vienna/Austria is blocking WireGuard. I tried WireGuard with my other server with Home Assistant in Prague/Czechia and it works immediately. I called them but they said nothing is blocked.

Has anybody dealt with the problem of being blocked by the ISP?

Hi!

I am running a Wireguard server on the internet.
I would like to connect my HA (based on HAOS) with the server.
On my other devices (phone, PC, etc.) I am successfully using conf files like this:

[Interface]
PrivateKey = [privatekey]
Address = 10.8.3.3/32

[Peer]
PublicKey = [publickey]
Endpoint = [IP]:[port]
PersistentKeepalive = 25

How can I use a conf file with the add-on?
If that is not possible, how can I recreate mine in YAML? It seems not all parameters are accepted (i.e. endpoint).

Edit:
I can see that there is a conf file in the file system, but it gets overwritten when the add-on is started.

So finally resolved my problem and this SHOULD BE WRITTEN everywhere. Home Assistant DOES NOT route from itself to the container of the WireGuard Addon for ESP Home or between the containers of WireGuard and ESP Home; simply routing inside home assistant does not work. The server, the addon, works for any other device but does not put the ESP device from the ESP home on the same network, it does not route between the subnets. It is a persistent problem for years, see here

My solution? A new TP Link router with built in wireguard server and everything works within a single second. I wasted about 50 hours of my life. Second problem was CGNAT when you have dynamic IP, so it works only on static IPs

@mcgalactor

You must define PORT separately and YAML does not accept /32 after the IP address, it’s not necessary.

wireguard:
  address: 10.5.5.3
  private_key: "MF/oAUc+................"
  peer_endpoint: home.biospace.xxx
  peer_port: 51820
  peer_public_key: "JeK+/zIitBVBU...................."
  peer_allowed_ips:
    - 0.0.0.0/0
  peer_persistent_keepalive: 25s
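Going from the [Interface]/[Peer] conf quoted in the question above to the flat YAML shape in this reply is the same three changes every time: the /32 comes off Address, Endpoint is split into peer_endpoint and peer_port, and PersistentKeepalive gets its unit. The Python below does that conversion. It is an added example, not code from the add-on or from anyone in the thread; the YAML key names are the ones in the reply above, the sample conf and its key strings are constructed placeholders, and any conf key with no counterpart (DNS, a PresharedKey) is reported as dropped rather than lost silently, so a weaker configuration never slips through unnoticed.

```python
import ipaddress

# Constructed sample in the shape of the conf quoted in the question;
# the key strings are placeholders, not real WireGuard keys.
SAMPLE_CONF = """\
[Interface]
PrivateKey = PRIVATE_KEY_PLACEHOLDER=
Address = 10.8.3.3/32
DNS = 10.8.0.1

[Peer]
PublicKey = PEER_PUBLIC_KEY_PLACEHOLDER=
Endpoint = vpn.example.invalid:51820
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25
"""


def parse_conf(text):
    """Return [(section, {key: value})]; keys are lowercased because wg-quick
    matches them case-insensitively. '#' starts a comment, as in wg(8)."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1].lower(), {}))
        elif "=" in line and sections:
            # Split on the first '=' only: base64 keys end in '='.
            key, value = (part.strip() for part in line.split("=", 1))
            sections[-1][1][key.lower()] = value
        else:
            raise ValueError(f"unparseable line: {raw!r}")
    return sections


def split_endpoint(endpoint):
    """'host:port' or '[v6addr]:port' -> (host, port)."""
    host, sep, port = endpoint.rpartition(":")
    if not sep:
        raise ValueError(f"endpoint without port: {endpoint!r}")
    return host.strip("[]"), int(port)


def conf_to_yaml_dict(text):
    """Map conf keys to the YAML keys used in the reply. Returns (config,
    dropped): dropped lists conf keys that have no YAML counterpart."""
    sections = parse_conf(text)
    interfaces = [s for name, s in sections if name == "interface"]
    peers = [s for name, s in sections if name == "peer"]
    if len(interfaces) != 1 or len(peers) != 1:
        raise ValueError("the flat YAML shape holds one [Interface] and one [Peer]")
    iface, peer = interfaces[0], peers[0]
    cfg = {}

    # The YAML takes a bare host address, so the /32 is removed from Address.
    cfg["address"] = str(ipaddress.ip_interface(iface.pop("address")).ip)
    cfg["private_key"] = iface.pop("privatekey")
    # Endpoint becomes two keys: the host and a separate port.
    host, port = split_endpoint(peer.pop("endpoint"))
    cfg["peer_endpoint"] = host
    cfg["peer_port"] = port
    cfg["peer_public_key"] = peer.pop("publickey")
    cfg["peer_allowed_ips"] = [ip.strip() for ip in peer.pop("allowedips").split(",")]
    if "persistentkeepalive" in peer:
        cfg["peer_persistent_keepalive"] = f"{int(peer.pop('persistentkeepalive'))}s"

    dropped = [f"Interface.{k}" for k in iface] + [f"Peer.{k}" for k in peer]
    return cfg, dropped


def to_yaml(cfg):
    """Emit the 'wireguard:' block; key material is quoted so '/', '+' and
    '=' in base64 can never be misread by a YAML parser."""
    lines = ["wireguard:"]
    for key, value in cfg.items():
        if isinstance(value, list):
            lines.append(f"  {key}:")
            lines.extend(f"    - {item}" for item in value)
        elif key.endswith("_key"):
            lines.append(f'  {key}: "{value}"')
        else:
            lines.append(f"  {key}: {value}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    config, dropped = conf_to_yaml_dict(SAMPLE_CONF)
    print(to_yaml(config))
    for item in dropped:
        print(f"# not representable in this YAML, set it another way: {item}")
```

The converter refuses files with more than one peer, because the singular peer_* keys in this layout can describe only one; a conf with several peers needs several such blocks, not one merged one.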

(post deleted by author)